Abstract

We propose a "cryptographic" interpretation for the propositional
connectives of primal infon logic introduced by Y. Gurevich and I. Neeman
and prove the corresponding soundness and completeness results.
Primal implication $\varphi \to_p \psi$ corresponds to the encryption of
$\psi$ with a secret key $\varphi$, primal disjunction $\varphi \vee_p \psi$
is a group key and $\bot$ reflects some backdoor constructions such as full
superuser permissions or a universal decryption key. For the logic of $\bot$
as a universal key (it was never considered before) we prove that the
derivability problem has linear time complexity. We also show that the
universal key can be emulated using primal disjunction.



1 Introduction 

Primal Infon Logic ([1], [2], [3], [5]) formalizes the concept of infon,
i.e. a message as a piece of information. The corresponding derivability
statement $\Gamma \vdash \varphi$ means that the principal can get (by herself,
without any communication) the information $\varphi$ provided she already has
all infons $\psi \in \Gamma$.

Primal implication ($\to_p$) that is used in Primal Infon Logic to represent
the conditional information is a restricted form of intuitionistic implication
defined by the following inference rules:



These rules admit a cryptographic interpretation of primal implication
$\varphi \to_p \psi$ as some kind of digital envelope: it is an infon containing
the information $\psi$ encrypted by a symmetric key (generated from) $\varphi$.
Indeed, the introduction rule ($\to_p I$) allows one to encrypt any available
message by any key. Similarly, the elimination rule ($\to_p E$) allows one to
extract the information from the ciphertext provided the key is also available.
So the infon logic incorporated into communication protocols ([1], [2]) is a
natural tool for manipulating commitment schemes (see [7]) without detailed
analysis of the scheme itself.



Example (cf. [8]). Alice and Bob live in different places and communicate
via a telephone line or by e-mail. They wish to play the following game
remotely. Each of them picks a bit, randomly or somehow else. If the bits
coincide then Alice wins; otherwise Bob wins. Both of them decide to play
fair but don't believe in the fairness of the opponent. To play fair means that
they honestly declare their choice of a bit, independently of what the other
player said. So they use cryptography.

We discuss the symmetric version of the coin flipping protocol from [8] in
order to make the policies of both players the same. Consider the policy of
one player, say Alice. Her initial state can be represented by the context

$$\Gamma = \{A \text{ said } m_a,\ A \text{ said } k_a,\ A \text{ IsTrustedOn } m_a,\ A \text{ IsTrustedOn } k_a\},$$

where infons $m_a$ and $k_a$ represent the chosen bit and the key Alice intends
to use for encryption. Her choice is recorded by infons $A$ said $m_a$ and
$A$ said $k_a$ where $A$ said is the quotation modality governed by the modal
logic K.^1 Alice simply says, to herself, the infons $m_a$ and $k_a$.

The remaining two members of $\Gamma$ reflect the decision to play fair. The
infon $X$ IsTrustedOn $y$ abbreviates $(X \text{ said } y) \to_p y$. It provides
the ability to obtain the actual value of $y$ from the declaration $X$ said $y$,
so Alice can deduce the actual $m_a$ and $k_a$ she has spoken about.

The commit phase. Alice derives $m_a$ and $k_a \to_p m_a$ from her context
by rules ($\to_p E$), ($\to_p I$) and sends the infon $k_a \to_p m_a$ to Bob.
Bob acts similarly, so Alice will receive a message from him and her context
will be extended to

$$\Gamma' = \Gamma \cup \{B \text{ said } (k_b \to_p m_b)\}.$$

The reveal phase. After updating the context Alice obtains $k_a$ by rule
($\to_p E$) and sends it to Bob. He does the same, so Alice's context will be

$$\Gamma'' = \Gamma' \cup \{B \text{ said } k_b\}.$$

Now by reasoning in K Alice deduces $B$ said $m_b$. She also has $A$ said $m_a$,
so it is clear to her who wins. Alice simply compares these infons with the
patterns $B$ said 0, $B$ said 1 and $A$ said 0, $A$ said 1 respectively.

^1 The only modal inference rule that is used in this paper is
$X \text{ said } \varphi,\ X \text{ said } (\varphi \to_p \psi) \vdash X \text{ said } \psi$.
It is admissible in K. For more details about modalities in the infon logic
see [4], [5].

The standard analysis of the protocol shows that Bob will come to the
same conclusion. Moreover, Alice can be sure that she is not cheated provided
she successfully follows her policy up to the end.^2 The same with Bob.

Note that infon logic is used here as a part of the protocol. It is one of
the tools that provide the correctness. But it does not prove the correctness.
In order to formalize and prove the correctness of protocols one should use
much more powerful formal systems. ■
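The commit and reveal phases of the example above, as an added Python example that is not part of the paper. It assumes one-bit messages and uses HMAC-SHA256 under a fresh 32-byte key as the envelope enc(k, m), a construction chosen here so that a key opens an envelope to at most one bit; the names Player and play and the wire format are this example's own.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes; assumed key size for this example


def enc(key, bit):
    """Envelope for one bit, standing in for the infon k ->p m (assumed construction)."""
    return hmac.new(key, bytes([bit]), hashlib.sha256).digest()


def dec(key, envelope):
    """Partial inverse of enc: the bit this key opens the envelope to, else None."""
    if len(key) != KEY_LEN:
        return None
    for bit in (0, 1):
        if hmac.compare_digest(enc(key, bit), envelope):
            return bit
    return None


class Player:
    def __init__(self, bit, key=None):
        self.bit = bit                                    # the chosen bit m
        self.key = key or secrets.token_bytes(KEY_LEN)    # the key k
        self.peer_envelope = None

    def commit(self):
        """Commit phase: send k ->p m."""
        return enc(self.key, self.bit)

    def receive(self, envelope):
        self.peer_envelope = envelope

    def reveal(self):
        """Reveal phase: send k, but only after the peer's envelope has arrived."""
        if self.peer_envelope is None:
            raise RuntimeError("peer has not committed yet")
        return self.key

    def open_peer(self, peer_key):
        """Recover the peer's bit; None means the revealed key does not fit."""
        return dec(peer_key, self.peer_envelope)


def play(alice, bob):
    """Run both phases and return the winner as (Alice's view, Bob's view)."""
    to_bob, to_alice = alice.commit(), bob.commit()
    alice.receive(to_alice)
    bob.receive(to_bob)
    key_a, key_b = alice.reveal(), bob.reveal()
    views = []
    for me, peer_key in ((alice, key_b), (bob, key_a)):
        peer_bit = me.open_peer(peer_key)
        if peer_bit is None:
            views.append("abort")       # the revealed key does not open the envelope
        else:
            views.append("Alice" if peer_bit == me.bit else "Bob")
    return tuple(views)
```

Refusing to reveal before the peer's envelope has arrived is what keeps each declared bit independent of the other player's choice.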

We make our observation precise by defining interpretations of the purely
propositional part of infon logic in "cryptographic" infon algebras and
proving the corresponding soundness and completeness theorems.

In Section 2 this is done for the system P which is the
$\{\top, \wedge, \to_p\}$-fragment of infon logic. We also show that the
quasi-boolean semantics for P (see [1]) is essentially a special case of our
semantics.

In Section 3 we show that $\bot$ can be used to reflect some backdoor
constructions. Two variants are considered: system $P[\bot]$ from [1] with the
usual elimination rule for $\bot$ and a new system $P[\bot_w]$ with a weak form
of elimination rule for $\bot$. The first one treats $\bot$ as a root password,
and the second one as a universal key for decryption. For almost all
propositional primal infon logics the derivability problem has linear time
complexity. We prove the same complexity bound for $P[\bot_w]$ in Section 4.

Finally we consider a system $P[\vee_p]$ which is the modal-free fragment of
Basic Propositional Primal Infon Logic PPIL from [5]. The primal disjunction
$\vee_p$ in $P[\vee_p]$ has usual introduction rules and no elimination rules.
We treat it as a group-key constructor and provide a linear time reduction of
$P[\bot_w]$ to $P[\vee_p]$. It thus gives another proof of linear time
complexity bound for $P[\bot_w]$.

^2 Here we suppose that the encryption method is practically strong and unambiguous.
It is impossible for a player who does not know the encryption key to restore the plaintext
from a ciphertext. It is also impossible for him to generate two key-message pairs with
different messages and the same ciphertext.
2 Semantics for $\{\top, \wedge, \to_p\}$-fragment

Let $\Sigma$ be a finite alphabet, say $\Sigma = \{0, 1\}$. Let us fix a total
pairing function $\pi : (\Sigma^*)^2 \to \Sigma^*$ with projections
$l, r : \Sigma^* \to \Sigma^*$, where $\Sigma^*$ is the set of all binary strings,

$$l(\pi(x, y)) = x, \quad r(\pi(x, y)) = y, \qquad (1)$$

and two functions $enc, dec : (\Sigma^*)^2 \to \Sigma^*$ such that $enc$ is total and

$$dec(x, enc(x, y)) = y. \qquad (2)$$

String $enc(x, y)$ will be treated as a ciphertext containing string $y$
encrypted with key $x$. Function $dec$ is the decryption method that exploits the
same key. In this text we do not restrict ourselves to encryptions that are
strong in some sense. For example, $enc(x, y)$ may be the concatenation of
strings $x$ and $y$. Then $dec$ on arguments $x, y$ simply removes the prefix $x$
from $y$. The totality of functions $l$, $r$, $dec$ is not supposed, but the
left-hand parts of (1) and (2) must be defined for all $x, y \in \Sigma^*$.

We also fix some set $E \subseteq \Sigma^*$, $E \neq \emptyset$. It will represent
the information known by everyone, for example, facts like < 1 and $2 \cdot 2 = 4$.
The structure $A = (\Sigma^*, \pi, l, r, enc, dec, E)$ will be referred to as an
infon algebra.^3

Definition 2.1 A set $M \subseteq \Sigma^*$ will be called closed if
$E \subseteq M$ and $M$ satisfies the following closure conditions:

1. $a, b \in M \Leftrightarrow \pi(a, b) \in M$,

2. $a, enc(a, b) \in M \Rightarrow b \in M$,

3. $a \in \Sigma^*, b \in M \Rightarrow enc(a, b) \in M$.

A closed set $M$ represents the information that is potentially available
to an agent in a local state, i.e. between two consecutive communication
steps of a protocol. The information is represented by texts. $M$ contains
all public and some private texts. The agent can combine several texts in a
single multi-part document using the $\pi$ function as well as extract its parts
by means of $l$ and $r$. She has access to the encryption tool $enc$, so she can
convert a plaintext into a ciphertext. The backward conversion (by $dec$) is
also available provided she has the encryption key.

^3 We use this term differently from [2] where infon algebras are semi-lattices with
information order "x is at least as informative as y".

Note that in the closure condition 3 we do not require that $a \in M$. The
agent will never need to decrypt the ciphertext $enc(a, b)$ encrypted by herself
because she already has the plaintext b. The key a can be generated by 
some trusted third party and sent to those who really need it. This is the 
case when the encryption is used to provide secure communications between 
agents when only the connections to the third party are secure (and the 
authentication is reliable). On the other hand, some protocols may require 
the agent to distribute keys by herself. Then she can use a key that is known 
to her or get it from the third party. In the latter case a will be available 
in her new local state that will be updated by the communication with the 
third party. 

The natural deduction calculus for primal infon logic P is considered in 
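The corresponding derivability relation $\Gamma \vdash \varphi$ is defined by the
following rules:

$$\frac{\Gamma \vdash \varphi}{\Gamma, \Delta \vdash \varphi}\ (Weakening) \qquad \frac{\Gamma \vdash \varphi_1 \quad \Gamma, \varphi_1 \vdash \varphi_2}{\Gamma \vdash \varphi_2}\ (Cut)$$

$$\frac{\Gamma \vdash \varphi_1 \quad \Gamma \vdash \varphi_2}{\Gamma \vdash \varphi_1 \wedge \varphi_2}\ (\wedge I) \qquad \frac{\Gamma \vdash \varphi_1 \wedge \varphi_2}{\Gamma \vdash \varphi_i}\ (\wedge E_i)\ (i = 1, 2)$$

$$\frac{\Gamma \vdash \varphi_2}{\Gamma \vdash \varphi_1 \to_p \varphi_2}\ (\to_p I) \qquad \frac{\Gamma \vdash \varphi_1 \quad \Gamma \vdash \varphi_1 \to_p \varphi_2}{\Gamma \vdash \varphi_2}\ (\to_p E).$$

Here $\varphi, \varphi_1, \varphi_2$ are infons, i.e. the expressions constructed
from the set $At$ of atomic infons by the grammar

$$\varphi ::= \top \mid At \mid (\varphi \wedge \varphi) \mid (\varphi \to_p \varphi),$$

and $\Gamma, \Delta$ are sets of infons.

As usual, a derivation of $\varphi$ from a set of assumptions $\Gamma$ is a
sequence of infons $\varphi_1, \ldots, \varphi_n$ where $\varphi_n = \varphi$ and
each $\varphi_k$ is either a member of $\Gamma \cup \{\top\}$ or is obtained from
some members of $\{\varphi_j \mid j < k\}$ by one of the rules

$$\frac{\varphi_1 \quad \varphi_2}{\varphi_1 \wedge \varphi_2} \qquad \frac{\varphi_1 \wedge \varphi_2}{\varphi_i} \qquad \frac{\varphi_2}{\varphi_1 \to_p \varphi_2} \qquad \frac{\varphi_1 \quad \varphi_1 \to_p \varphi_2}{\varphi_2}$$

It is easy to see that $\Gamma \vdash \varphi$ iff there exists a derivation of
$\varphi$ from $\Gamma$. So rules like (Weakening) or (Cut) from the definition of
derivability relation are never used in a derivation itself.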
Definition 2.2 An interpretation (of the infon language) is a pair $I = (A, v)$
where $A = (\Sigma^*, \pi, l, r, enc, dec, E)$ is an infon algebra and
$v : At \cup \{\top\} \to \Sigma^*$ is a total evaluation that assigns binary
strings to atomic infons and to constant $\top$, $v(\top) \in E$. We assume that
$v$ is extended as follows:

$$v(\varphi_1 \wedge \varphi_2) = \pi(v(\varphi_1), v(\varphi_2)), \quad v(\varphi_1 \to_p \varphi_2) = enc(v(\varphi_1), v(\varphi_2)),$$

$$v(\Gamma) = \{v(\varphi) \mid \varphi \in \Gamma\}.$$

A model is a pair $(I, M)$ where $I$ is an interpretation and
$M \subseteq \Sigma^*$ is a closed set.

In the paper [1] it is established that P is sound and complete with respect
to quasi-boolean semantics. A quasi-boolean model is a validity relation
$\models$ that enjoys the following properties:

• $\models \top$,

• $\models \varphi_1 \wedge \varphi_2 \Leftrightarrow\ \models \varphi_1$ and $\models \varphi_2$,

• $\models \varphi_2 \Rightarrow\ \models \varphi_1 \to_p \varphi_2$,

• $\models \varphi_1 \to_p \varphi_2 \Rightarrow\ \not\models \varphi_1$ or $\models \varphi_2$.

An infon $\varphi$ is derivable in the infon logic P from the context $\Gamma$ iff
$\models \Gamma$ implies $\models \varphi$ for all quasi-boolean models $\models$.

It can be seen that the definition of a quasi-boolean model is essentially a
special case of Definition 2.2. Indeed, suppose that atomic infons are words
in the unary alphabet $\{|\}$. Then all infons turn out to be words in some
finite alphabet $\Sigma_0$. Consider a translation
$\ulcorner\cdot\urcorner : \Sigma_0^* \to \{0, 1\}^*$ that maps all elements of
$\Sigma_0$ into distinct binary strings of the same length,
$\ulcorner\Lambda\urcorner = \Lambda$ for the empty word $\Lambda$ and
$\ulcorner a_1 \ldots a_n \urcorner = \ulcorner a_1 \urcorner \ldots \ulcorner a_n \urcorner$
for $a_1, \ldots, a_n \in \Sigma_0$.

The corresponding infon algebra $A$ and the evaluation $v$ can be defined
as follows: $v(a) = \ulcorner a \urcorner$ for $a \in At \cup \{\top\}$,

$$\pi(x, y) = \ulcorner(\urcorner\, x\, \ulcorner\wedge\urcorner\, y\, \ulcorner)\urcorner, \quad enc(x, y) = \ulcorner(\urcorner\, x\, \ulcorner\to_p\urcorner\, y\, \ulcorner)\urcorner, \quad E = \{\ulcorner\top\urcorner\}. \qquad (3)$$

Projections and the decryption function can be found from (1) and (2). Note
that for this interpretation the equality $v(\varphi) = \ulcorner\varphi\urcorner$
holds for every infon $\varphi$.

Consider a quasi-boolean model $\models$. Let $M$ be the closure of the set
$M_0 = \{\ulcorner\varphi\urcorner \mid\ \models \varphi\}$, i.e. the least closed
extension of $M_0$.

Lemma 2.3 $\models \varphi$ iff $v(\varphi) \in M$.



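Proof. It is sufficient to prove that the set $M \setminus M_0$ does not contain
words of the form $v(\varphi)$. Any element $b \in M \setminus M_0$ can be obtained
from some elements of $M_0$ by a finite sequence of steps 1, 2, 3 that correspond
to closure conditions:

1. $x, y \mapsto \ulcorner(\urcorner\, x\, \ulcorner\wedge\urcorner\, y\, \ulcorner)\urcorner$; $\ulcorner(\urcorner\, x\, \ulcorner\wedge\urcorner\, y\, \ulcorner)\urcorner \mapsto x$; $\ulcorner(\urcorner\, x\, \ulcorner\wedge\urcorner\, y\, \ulcorner)\urcorner \mapsto y$;

2. $x, \ulcorner(\urcorner\, x\, \ulcorner\to_p\urcorner\, y\, \ulcorner)\urcorner \mapsto y$;

3. $y \mapsto \ulcorner(\urcorner\, x\, \ulcorner\to_p\urcorner\, y\, \ulcorner)\urcorner$.

The history of this process is a derivation of $b$ from $M_0$ with 1, 2, 3 treated
as inference rules. Let $b = v(\varphi)$ and $b_1, \ldots, b_n = b$ be the
derivation. Consider the (partial) top-down syntactic analysis of strings
$b_1, \ldots, b_n$ using patterns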

■ -01 ■ ^^p^ ■ n^, ni ••• p- 

We replace all substrings that remain unparsed by $v(a)$ where
$a = || \ldots |$ is some fresh atomic infon. The resulting sequence
$c_1, \ldots, c_n$ is also a derivation of $b$ from $M_0$ because any string of
the form $v(\psi)$ has no unparsed substrings. All its members have the form
$c_i = v(\varphi_i)$ for some infons $\varphi_i$. Moreover,
$\varphi_1, \ldots, \varphi_n$ is a derivation of $\varphi = \varphi_n$ in P from
the set of hypotheses $\Gamma = \{\varphi_j \mid c_j \in M_0\}$. But
$\models \Gamma$ and P is sound with respect to quasi-boolean models, so
$\models \varphi$ and $b = v(\varphi) \in M_0$. Contradiction. ■

Theorem 2.4 $\Gamma \vdash \varphi$ in P iff $v(\varphi) \in M$ for every model
$(I, M)$ with $v(\Gamma) \subseteq M$.

Proof. The theorem states that the infon logic P is sound and complete
with respect to the class of models introduced by Definition 2.2. The soundness
can be proven by straightforward induction on the derivation of $\varphi$ from
$\Gamma$. The completeness follows from Lemma 2.3 and the completeness result
for quasi-boolean models (see [4]). ■

A set $\{v(\psi) \mid \psi \in T\} \subseteq \Sigma^*$ will be called deductively
closed if $T \vdash \psi$ implies $\psi \in T$ for all infons $\psi$, i.e. $T$ is
deductively closed in P. In the proof of Lemma 2.3 we actually establish that the
particular interpretation $(A, v)$ is conservative in the following sense: the
closure $M$ of any deductively closed set $M_0 \subseteq \Sigma^*$ does not
contain "new" strings of the form $v(\psi) \notin M_0$. It is also injective:
$v(\varphi_1) = v(\varphi_2)$ implies $\varphi_1 = \varphi_2$. An interpretation
that enjoys these two properties will be called plain.

Lemma 2.5 There exists a plain interpretation.

The completeness part of Theorem 2.4 can be strengthened.

Theorem 2.6 Let the interpretation $I = (A, v)$ be plain. For any context
$\Gamma$ there exists a model $(I, M)$ with $v(\Gamma) \subseteq M$ such that
$\Gamma \nvdash \varphi$ implies $v(\varphi) \notin M$ for all infons $\varphi$.

Proof. Let $M$ be the closure of the set
$M_0 = \{v(\psi) \mid \Gamma \vdash \psi\}$. Then $v(\Gamma) \subseteq M$. The set
$M_0$ is deductively closed, so $M \setminus M_0$ does not contain strings of the
form $v(\psi)$. Suppose $\Gamma \nvdash \varphi$. Then $v(\varphi) \notin M_0$
because the interpretation is injective. Thus $v(\varphi) \notin M$. ■



3 Constant $\bot$ and backdoors

$\bot$ as superuser permissions

Infon logic $P[\bot]$ is the extension of P by an additional constant $\bot$ that
satisfies the elimination rule

$$\frac{\Gamma \vdash \bot}{\Gamma \vdash \varphi}\ (\bot E).$$

The corresponding changes in Definition 2.2 follow. We add to the
alphabet a new letter $f \notin \Sigma$ and set $\Sigma_\bot = \Sigma \cup \{f\}$,
$v(\bot) = f$. Functions $\pi$, $l$, $r$, $enc$, $dec$ act on words from
$\Sigma_\bot^*$ but still satisfy the conditions (1), (2). We suppose them to
preserve $\Sigma^*$: the value should be a binary string provided all arguments
are. We also suppose that $v(\top) \in E \subseteq \Sigma^*$ and
$v(\varphi) \in \Sigma^*$ for $\varphi \in At$ and add a new closure condition to
Definition 2.1:

4. $f \in M,\ a \in \Sigma_\bot^* \Rightarrow a \in M$.

Models for P[-L] are all pairs (/, M) where / is an interpretation and M is a 
closed set, both in the updated sense. The definition of plain interpretation 
is just the same. 
Constant $\bot$ is some kind of root password that grants the superuser
permissions to its owner. The owner has direct access to all the information
available in the system without any communication or decryption. At the
same time $\bot$ can be incorporated into some messages that will be used in
communication.

$\bot$ as universal key

The root password provides direct access to all the information in the
system including private information of any agent that was never sent to
anybody else. It is also natural to consider a restricted form of superuser
permissions that protect the privacy of agents but provide the ability to
decrypt any available ciphertext. It can be simulated by infon logic $P[\bot_w]$
with constant $\bot$ treated as a universal key. The corresponding inference rule
is a weak form of the ($\bot E$) rule,



that has an additional premise $\Gamma \vdash \psi \to_p \varphi$. So the owner of
$\bot$ can get an infon only if she already has the same information as a
ciphertext. The rule ($\bot E_w$) is really weaker than ($\bot E$) because
$\psi \to_p \varphi$ is not derivable in P.

All definitions concerning models for $P[\bot_w]$ are similar to the case of
$P[\bot]$ with closure condition 4 replaced by

4'. $f, enc(a, b) \in M \Rightarrow b \in M$.

Essentially we extend the signature of infon algebras by an additional (partial)
operation $crack(x, y)$ that satisfies the equality

$$crack(f, enc(a, b)) = b \qquad (4)$$

and allow any agent to use it, so her local state satisfies the closure
condition 4'.

Lemma 3.1 There exist plain interpretations for $P[\bot]$ and for $P[\bot_w]$.

Proof. We extend the example of plain interpretation for the
$\{\top, \wedge, \to_p\}$-fragment from Section 2 (see (3)). Set
$\ulcorner\bot\urcorner = f$ and extend the interpretation in accordance with
The resulting interpretation is plain in the sense of $P[\bot]$. Indeed, it is
injective because $f \notin \Sigma$. It is also conservative. In order to prove
this we use the construction from Lemma 2.3.

Let the set $M_0 = \{v(\psi) \mid \psi \in T\} \subseteq (\Sigma \cup \{f\})^*$ be
deductively closed and $M$ be its closure. Suppose
$v(\varphi) \in M \setminus M_0$ for some infon $\varphi$. Then $b_n = v(\varphi)$
has a derivation $b_1, \ldots, b_n$ from $M_0$ in the calculus with closure
conditions considered as inference rules:

2. $x, \ulcorner(\urcorner\, x\, \ulcorner\to_p\urcorner\, y\, \ulcorner)\urcorner \mapsto y$;

3. $y \mapsto \ulcorner(\urcorner\, x\, \ulcorner\to_p\urcorner\, y\, \ulcorner)\urcorner$;

4. $f \mapsto x$.

Consider the (partial) top-down syntactic analysis of strings
$b_1, \ldots, b_n$ using patterns

Replace all substrings that remain unparsed by $v(a)$ where $a = || \ldots |$ is
some fresh atomic infon. The resulting sequence $c_1, \ldots, c_n$ is also a
derivation of $v(\varphi)$ from $M_0$ because any string of the form $v(\psi)$
has no unparsed substrings. All its members have the form $c_i = v(\varphi_i)$
for some infons $\varphi_i$ and $\varphi_1, \ldots, \varphi_n$ is a derivation of
$\varphi = \varphi_n$ in $P[\bot]$ from the set of hypotheses $T$. But $T$ is
deductively closed, so $\varphi \in M_0$. Contradiction.

Now set

$$crack(x, y) := \begin{cases} b, & \text{if } x = f \text{ and } y = \ulcorner(\urcorner\, a\, \ulcorner\to_p\urcorner\, b\, \ulcorner)\urcorner, \\ \text{undefined}, & \text{otherwise.} \end{cases}$$

It satisfies the condition (4), so the interpretation for $P[\bot_w]$ is defined.
One can prove in a similar way that the interpretation is plain (w.r.t.
$P[\bot_w]$). ■



The completeness results from Section 2 hold for logics $P[\bot]$ and
$P[\bot_w]$ too. The proofs are essentially the same with one difference: the
quasi-boolean semantics from [1] does not cover the case of $P[\bot_w]$. Let L
be one of the logics $P[\bot]$ or $P[\bot_w]$.

Theorem 3.2 $\Gamma \vdash \varphi$ in L iff $v(\varphi) \in M$ for every model
$(I, M)$ of L with $v(\Gamma) \subseteq M$.

Proof. The soundness part can be proven by straightforward induction on
the derivation of $\varphi$ from $\Gamma$. The completeness follows from
Lemma 3.1 and Theorem 3.3. ■

Theorem 3.3 Let $I$ be a plain interpretation of L. For any context $\Gamma$
there exists a model $(I, M)$ of L with $v(\Gamma) \subseteq M$ such that
$\Gamma \nvdash \varphi$ implies $v(\varphi) \notin M$ for all infons $\varphi$.

Proof. Similar to Theorem 2.6. ■



4 Decision algorithm for $P[\bot_w]$

The derivability problems for infon logics P and $P[\bot]$ are linear time
decidable ([3], [1], [5]). We provide a decision algorithm for $P[\bot_w]$ with
the same complexity bound.

Definition 4.1 (Positive atoms.) In what follows we assume that the language
of P also contains $\bot$, but it is an ordinary member of $At$ without any
specific inference rule for it. Let

$$At^+(\varphi) = \{\varphi\} \text{ for } \varphi \in At \cup \{\top, \bot\},$$
$$At^+(\varphi \wedge \psi) = At^+(\varphi) \cup At^+(\psi),$$
$$At^+(\varphi \to_p \psi) = At^+(\psi).$$

For a context $\Gamma$ set $At^+(\Gamma) = \bigcup_{\varphi \in \Gamma} At^+(\varphi)$.

Lemma 4.2 Let $\Gamma \vdash \bot$ in $P[\bot_w]$. Then $\Gamma \vdash \varphi$ in
$P[\bot_w]$ iff $At^+(\varphi) \subseteq At^+(\Gamma)$.

Proof. Suppose $\Gamma \vdash \varphi$. The inclusion
$At^+(\varphi) \subseteq At^+(\Gamma)$ can be proved by straightforward induction
on the derivation of $\varphi$ from $\Gamma$.

Now suppose that $\Gamma \vdash \bot$ and $At^+(\varphi) \subseteq At^+(\Gamma)$.
By rules ($\wedge E_i$) and ($\bot E_w$) we prove that $\Gamma \vdash \psi$ for
every infon $\psi \in At^+(\Gamma)$. Then we derive $\Gamma \vdash \varphi$ by
rules ($\wedge I$), ($\to_p I$). ■
Lemma 4.3 If $\Gamma \nvdash \bot$ in P and $\Gamma \vdash \varphi$ in
$P[\bot_w]$ then $\Gamma \vdash \varphi$ in P.

Proof. $\Gamma \nvdash \bot$ in P implies that $\Gamma \nvdash \bot$ in
$P[\bot_w]$ because the shortest derivation of $\bot$ from $\Gamma$ cannot use
the ($\bot E_w$) rule. So any derivation in $P[\bot_w]$ from $\Gamma$ cannot use
this rule. ■

The decision algorithm for $P[\bot_w]$ consists of the following three steps:

1. Test whether $\Gamma \vdash \varphi$ in P. If yes, then
$\Gamma \vdash \varphi$ in $P[\bot_w]$ too. Else go to step 2.

2. Test whether $\Gamma \nvdash \bot$ in P. If yes, then
$\Gamma \nvdash \varphi$ in $P[\bot_w]$ by Lemma 4.3. Else go to step 3.

3. We have $\Gamma \vdash \bot$ in P, so it is also true in $P[\bot_w]$. Test the
condition $At^+(\varphi) \subseteq At^+(\Gamma)$. If it is fulfilled then
$\Gamma \vdash \varphi$ in $P[\bot_w]$; otherwise $\Gamma \nvdash \varphi$ in
$P[\bot_w]$ (Lemma 4.2).

Linear time complexity bounds for steps 1, 2 follow from the linear bound
for P. In order to prove the same bound for step 3 we use the preprocessing
stage of the linear time decision algorithm from [5]. It deals with sequents
$\Gamma \vdash \varphi$ in a language that extends the language of $P[\bot_w]$.
The preprocessing stage is purely syntactic, so it does not depend on the logic
involved and can be used for $P[\bot_w]$ as well.

The algorithm constructs the parse tree for the sequent. Two nodes are
called homonyms if they represent two occurrences of the same infon. For
every homonymy class, the algorithm chooses a single element of it, the
homonymy leader, and labels all nodes with pointers that provide a constant
time access from a node to its homonymy leader. All this can be done in
linear time (see [5]).

Now it takes a single walk through the parse tree to mark by a special
flag all homonymy leaders that correspond to infons in $At^+(\Gamma)$. One more
walk is required to test whether all homonymy leaders that correspond to
infons in $At^+(\varphi)$ already have this flag. Thus we have a linear time test
for the inclusion $At^+(\varphi) \subseteq At^+(\Gamma)$.

Theorem 4.4 The derivability problem for infon logic $P[\bot_w]$ is linear time
decidable.
5 Primal disjunction and backdoor emulation



Primal infon logic with disjunction $P[\vee]$ was studied in [1]. It is defined by
all rules of P and usual introduction and elimination rules for disjunction.
$P[\vee]$ can emulate the classical propositional logic, so the derivability
problem for it is co-NP-complete.

Here we consider the logic $P[\vee_p]$, an efficient variant of $P[\vee]$. It was
mentioned in [3] and later was incorporated into Basic Propositional Primal
Infon Logic PPIL [5] as its purely propositional fragment without modalities.
In $P[\vee_p]$ the standard disjunction is replaced by a "primal" disjunction
$\vee_p$ with introduction rules



$(\vee_p I_i) \quad (i = 1, 2)$



and without elimination rules. It results in a linear-time complexity bound
for $P[\vee_p]$ (and for PPIL too, see [1], [5]).

When the primal implication is treated as encryption, the primal disjunction
can be used as a method to construct group keys. An infon of the form

$$(\varphi_1 \vee_p \varphi_2) \to_p \psi \qquad (5)$$

represents a ciphertext that can be decrypted by anyone who has at least
one of the keys $\varphi_1$ or $\varphi_2$. In P the same effect can be produced
by the infon

$$(\varphi_1 \to_p \psi) \wedge (\varphi_2 \to_p \psi), \qquad (6)$$

but it requires two copies of $\psi$ to be encrypted. Moreover, a principal $A$
who does not know both keys $\varphi_1$ and $\varphi_2$ fails to distinguish between
and $(\varphi_1 \to_p \psi_1) \wedge (\varphi_2 \to_p \psi_2)$. If $A$ receives (6)
from some third party and forwards it to some principals $B$ and $C$, she will
never be sure that $B$ and $C$ will get the same plaintext after decryption.
Group keys eliminate the length growth and ambiguity.

An infon algebra for $P[\vee_p]$ has an additional total operation
$gr : (\Sigma^*)^2 \to \Sigma^*$ for evaluation of primal disjunction:
$v(\varphi \vee_p \psi) = gr(v(\varphi), v(\psi))$. The corresponding closure
condition in Definition 2.1 will be

5. If $a \in M$, $b \in \Sigma^*$ or $b \in M$, $a \in \Sigma^*$ then $gr(a, b) \in M$.

All the results of Section 3 (Lemma 3.1, Theorems 3.2, 3.3) hold for
$P[\vee_p]$ too. The proofs are essentially the same.
$P[\bot_w]$ is linear-time reducible to $P[\vee_p]$, so $P[\vee_p]$ and PPIL can
emulate the backdoor based on a universal key. The reduction also gives another
proof for Theorem 4.4.

Remember that in the language of $P[\vee_p]$ symbol $\bot$ denotes some regular
atomic infon. Consider the following translation:

$$q^* = q \text{ for } q \in At \cup \{\top, \bot\},$$
$$(\varphi \wedge \psi)^* = \varphi^* \wedge \psi^*,$$
$$(\varphi \to_p \psi)^* = (\bot \vee_p \varphi^*) \to_p \psi^*,$$
$$\Gamma^* = \{\varphi^* \mid \varphi \in \Gamma\}.$$

The transformation of $\Gamma, \varphi$ into $\Gamma^*, \varphi^*$ can be
implemented in linear time.

Theorem 5.1 $\Gamma \vdash \varphi$ in $P[\bot_w]$ iff
$\Gamma^* \vdash \varphi^*$ in $P[\vee_p]$.

Proof. Part "only if" can be proved by straightforward induction on the
derivation of $\varphi$ from assumptions $\Gamma$ in $P[\bot_w]$. For any
inference rule of $P[\bot_w]$, its translation is derivable in $P[\vee_p]$. For
example, consider the elimination rules for $\to_p$ and $\bot$:

$$\frac{\dfrac{\varphi^*}{\bot \vee_p \varphi^*} \quad (\bot \vee_p \varphi^*) \to_p \psi^*}{\psi^*} \qquad \frac{\dfrac{\bot}{\bot \vee_p \varphi^*} \quad (\bot \vee_p \varphi^*) \to_p \psi^*}{\psi^*}$$

Part "if". Let $\Gamma^* \vdash \varphi^*$ in $P[\vee_p]$. Note that $P[\vee_p]$
is the modal-free fragment of PPIL and the shortest derivation of $\varphi^*$
from assumptions $\Gamma^*$ in PPIL is also a derivation in $P[\vee_p]$. Let $D$
be this derivation.

It is proved in [5] that any shortest derivation is local. For the case
of $P[\vee_p]$ it means that all formulas from $D$ are subformulas of
$\Gamma^*, \varphi^*$. In particular, $\vee_p$ occurs in $D$ only in subformulas
of the form $\bot \vee_p \psi^*$.

Case 1. Suppose that the ($\vee_p I_1$) rule is never used in $D$. Remove part
"$\bot \vee_p$" from every subformula of the form $\bot \vee_p \psi^*$ that occurs
in $D$. The result will be a derivation of $\varphi$ from assumptions $\Gamma$ in
P. So $\Gamma \vdash \varphi$ in $P[\bot_w]$ too.

Case 2. Suppose that the ($\vee_p I_1$) rule is used in $D$. It has the form

$$\frac{\bot}{\bot \vee_p \psi^*} \qquad (7)$$
so $D$ also contains a derivation of $\bot$. The corresponding subderivation is
the shortest one and does not use the ($\vee_p I_1$) rule. By applying the
transformation from Case 1 we prove that $\Gamma \vdash \bot$ in P and
$\bot \in At^+(\Gamma)$.
We extend Definition 4.1 with new item

so $At^+(\psi)$ is defined for every $\psi$ in the language of $P[\vee_p]$.
Moreover, $At^+(\varphi^*) = At^+(\varphi)$ and $At^+(\Gamma^*) = At^+(\Gamma)$.
We claim that $At^+(\varphi^*) \subseteq At^+(\Gamma^*)$.

Indeed, consider $D$ as a proof tree and its node $\psi$ with
$At^+(\psi) \not\subseteq At^+(\Gamma^*)$ whereas
$At^+(\psi') \subseteq At^+(\Gamma^*)$ holds for all predecessors $\psi'$. The
only rule that can produce this effect is ($\vee_p I_1$), so
$\psi = \bot \vee_p \theta^*$ for some $\theta$ where all occurrences of "new"
atoms $q \in At^+(\psi) \setminus At^+(\Gamma^*)$ are inside $\theta^*$.

Consider the path from the node $\psi$ to the root node $\varphi^*$ and the trace
of $\psi$ along it. There is no elimination rule for $\vee_p$, so $\psi$ cannot
be broken into pieces. All occurrences of positive atoms in $\theta^*$ will be
positive in all formulas along the trace. But $\vee_p$ occurs in $\varphi^*$ only
in the premise of primal implication, so the trace does not reach the root node.
Thus, at some step the formula containing $\psi$ will be eliminated and "new"
atoms from $\theta^*$ will never appear in $At^+(\varphi^*)$:

$$\frac{\bot \vee_p \theta^* \quad (\bot \vee_p \theta^*) \to_p \varphi_2}{\varphi_2}$$

We have established that $At^+(\varphi) \subseteq At^+(\Gamma)$. But
$\Gamma \vdash \bot$ in P and in $P[\bot_w]$, so $\Gamma \vdash \varphi$ in
$P[\bot_w]$ by Lemma 4.2. ■



Comment. It is also possible to reduce $P[\bot_w]$ to P. The corresponding
reduction is a two-step translation. One should convert $\varphi$ into
$\varphi^*$ and then replace all subformulas of the form (5) in it with (6).
Unfortunately, the second step results in the exponential growth of the length
of a formula.
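The three-step test of Section 4 and the translation of Section 5, cross-checked against each other on one sequent at a time, as an added Python example that is not part of the paper. The tuple encoding of infons and all function names are this example's own; derivability in P is decided by a naive fixpoint over subformulas rather than by the linear-time algorithm of [5], and ⊤ is counted among the context's positive atoms because it is always derivable.

```python
# Added example (not from the paper). Infons are nested tuples, a constructed encoding:
# atoms are strings, TOP and BOT are the constants, ("and", a, b) is conjunction,
# ("imp", key, body) is primal implication, ("or", a, b) is primal disjunction.
TOP, BOT = "T", "F"


def subformulas(f, acc):
    """Collect f and all of its subformulas into the set acc."""
    if f not in acc:
        acc.add(f)
        if isinstance(f, tuple):
            subformulas(f[1], acc)
            subformulas(f[2], acc)
    return acc


def derives(ctx, goal):
    """Derivability in P[v_p] (in P when no "or" occurs); BOT is an ordinary atom.

    Naive fixpoint over the subformulas of the sequent; it relies on locality of
    shortest derivations and is polynomial, not the linear-time algorithm of [5].
    """
    universe = set()
    for f in list(ctx) + [goal]:
        subformulas(f, universe)
    known = set(ctx) | {TOP}
    while True:
        new = set()
        for f in universe:
            if not isinstance(f, tuple):
                continue
            op, a, b = f
            if f in known:
                if op == "and":                        # (and E)
                    new |= {a, b}
                elif op == "imp" and a in known:       # (imp E): open the envelope
                    new.add(b)
            elif ((op == "and" and a in known and b in known)       # (and I)
                  or (op == "imp" and b in known)                   # (imp I): encrypt
                  or (op == "or" and (a in known or b in known))):  # (or I): group key
                new.add(f)
        if new <= known:
            return goal in known
        known |= new


def positive_atoms(f):
    """At+ from Definition 4.1, for formulas built from atoms, "and" and "imp"."""
    if not isinstance(f, tuple):
        return {f}
    op, a, b = f
    return positive_atoms(b) if op == "imp" else positive_atoms(a) | positive_atoms(b)


def derives_universal_key(ctx, goal):
    """The three-step test for P[bot_w]."""
    if derives(ctx, goal):                 # step 1: already derivable in P
        return True
    if not derives(ctx, BOT):              # step 2: no universal key (Lemma 4.3)
        return False
    available = {TOP}                      # TOP is always derivable (added here)
    for f in ctx:
        available |= positive_atoms(f)
    return positive_atoms(goal) <= available   # step 3 (Lemma 4.2)


def derives_root_password(ctx, goal):
    """P[bot]: once BOT is derivable, every infon is."""
    return derives(ctx, goal) or derives(ctx, BOT)


def translate(f):
    """The translation * into P[v_p]: every key k becomes the group key (BOT or k)."""
    if not isinstance(f, tuple):
        return f
    op, a, b = f
    if op == "and":
        return ("and", translate(a), translate(b))
    return ("imp", ("or", BOT, translate(a)), translate(b))


def agrees_with_translation(ctx, goal):
    """Check one instance of Theorem 5.1."""
    return derives_universal_key(ctx, goal) == derives(
        [translate(f) for f in ctx], translate(goal))
```

With the context {⊥, k →p m} the universal key yields the plaintext m but not the key k, while the root-password reading yields both, which is the privacy difference between the two backdoors.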